Your password reset links are being used by unknown IPs, even after real users click them. This is a serious security risk: it means the links or the emails carrying them are being intercepted somewhere between your server and the user.
To fix it:
Make links one-time use: Once a user resets their password, the link should expire immediately. If a user requests multiple links, only the newest one should work.
Keep links short-lived: Make links expire quickly (e.g., within an hour).
Use secure, random links: Generate the reset tokens from a cryptographically secure random source, make them long, and never derive them from guessable values such as the user ID or a timestamp.
Always use HTTPS: Ensure your website's password reset pages are secure (HTTPS).
Don't email passwords: Only send a link to create a new password on your site.
Monitor attempts: Log every reset request and every link redemption (including the source IP) so you can spot suspicious activity, such as a link being used from an IP the user never connected from.
Notify users: Email users if a reset was requested (especially if they didn't do it) and when a password is changed.
Add rate limits & CAPTCHA: Limit how many reset requests can be made to stop automated attacks.
End all sessions on reset: When a password is changed, log out the user from all devices.
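The token-handling steps above (one-time use, newest link only, short expiry, unguessable tokens, and ending sessions on reset) in one small Python store. This is an added example, not code from the original answer; the in-memory dict, the `active_sessions` shape and the one-hour TTL are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # reset links stop working after one hour (assumed TTL)


class ResetTokenStore:
    # Keeps only the SHA-256 hash of each token, so a leaked copy of the
    # store cannot be turned into working reset links. The dict stands in
    # for a real database table (assumption for this example).

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry is testable
        self._by_user = {}     # user_id -> (token_hash, expires_at)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a fresh token; any earlier token for this user is replaced."""
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self._by_user[user_id] = (self._hash(token), self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id, token):
        """Return True exactly once for a valid, unexpired token."""
        entry = self._by_user.get(user_id)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._by_user[user_id]     # expired: discard it
            return False
        if not secrets.compare_digest(token_hash, self._hash(token)):
            return False                   # wrong token; stored one stays
        del self._by_user[user_id]         # one-time use: delete on success
        return True


def complete_reset(store, active_sessions, user_id, token):
    """Redeem the token; on success, log the user out of every device.

    active_sessions maps user_id -> set of session ids (assumed shape).
    Returns True if the caller may now set the new password.
    """
    if not store.redeem(user_id, token):
        return False
    active_sessions.pop(user_id, None)     # end all sessions on reset
    return True
```

The password itself is never sent anywhere; only the token travels in the link, and the new password is set on your site after `complete_reset` returns True.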
These steps will help protect your users' accounts.